The chronicles of a Bostonian tech geek navigating through life, technology, and general geekiness.

Digging deep into the AD DS workstation logon process – Part 2

Today I will continue my analysis of the workstation logon process. Please take a read through Part 1 if you haven’t already. We left off with the workstation obtaining a Kerberos service ticket in order to authenticate to the domain controller to access the SMB share.

Ready? Let’s go!

Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB SESSION_SETUP Request to open a new authenticated SMB session with the domain controller. The security blob in that request carries the Kerberos service ticket (an AP-REQ wrapped in SPNEGO) as proof of the workstation's identity; the domain controller validates the ticket and returns the session ID, and the session key inside the ticket also seeds the key used to sign the SMB traffic that follows.

Source: Domain-joined machine
Destination: Primary DNS Server
Connection: UDP
Port: 53
Protocol: DNS
Purpose: The DsGetDcName API issues a DNS query to the domain-joined machine's primary DNS server for the SRV record _ldap._tcp.FAKESITE._sites.dc._msdcs.contoso.local, that is, for a domain controller registered in the machine's own site (the _ldap service record is the one the DC locator uses; a Kerberos-specific lookup would use _kerberos._tcp instead). The primary DNS server returns the matching SRV records, each carrying a priority, a weight, a port and a target host name.
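To make the selection step concrete, here is an added example (mine, not code from the original post) that orders a constructed SRV answer for _ldap._tcp.FAKESITE._sites.dc._msdcs.contoso.local the way RFC 2782 prescribes and the DC locator follows: every record of the lowest priority before any of a higher priority, and a weighted random draw within a priority. The dc3/dc4 host names and the priority and weight values are assumptions.

```python
"""RFC 2782 ordering of the SRV answers the DC locator receives.

Added example (not from the original post). The SRV records below are constructed
to look like an answer for _ldap._tcp.FAKESITE._sites.dc._msdcs.contoso.local;
the dc3/dc4 host names and the priority/weight values are assumptions.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is tried first
    weight: int     # relative share of load among equal-priority targets
    port: int
    target: str


# Constructed answer: two DCs in the FAKESITE site at priority 0 and one backup at
# priority 10. Windows registers DCs with priority 0 and weight 100 by default.
SAMPLE_ANSWER = [
    SrvRecord(0, 100, 389, "dc2.contoso.local"),
    SrvRecord(0, 50, 389, "dc3.contoso.local"),
    SrvRecord(10, 100, 389, "dc4.contoso.local"),
]


def order_srv(records, rng=None):
    """Return the records in the order a client should try them (RFC 2782 usage rules).

    All records of the lowest priority come first. Within one priority the order is a
    weighted random draw, so heavier targets tend to be tried first but never exclusively.
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: zero-weight records sit at the front so they are chosen only on a draw of 0
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def candidate_targets(records, rng=None):
    """(host, port) pairs in try order; this is the list the locator then pings over CLDAP."""
    return [(r.target, r.port) for r in order_srv(records, rng)]


if __name__ == "__main__":
    for target, port in candidate_targets(SAMPLE_ANSWER, random.Random(7)):
        print("%s:%d" % (target, port))
```

Run it with a few different seeds: dc2 comes first roughly two thirds of the time, dc3 the rest, and dc4 only ever after both same-site DCs. On a Windows host, nslookup -type=SRV _ldap._tcp.FAKESITE._sites.dc._msdcs.contoso.local shows the raw answer this code sorts. Because the answer arrives over plain UDP DNS it is not authenticated; nothing in this step proves that a target is a genuine DC, which is why the Kerberos mutual authentication from Part 1 matters.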

Source: Domain-joined machine
Destination: Domain controller named in the SRV answer from the previous step
Connection: UDP
Port: 389
Protocol: LDAP (connectionless LDAP, CLDAP)
Purpose: The DsGetDcName API on the domain-joined machine sends a specially crafted LDAP search, which Microsoft calls an LDAP Ping, to the domain controller it got back from the SRV query. The search targets the RootDSE, uses a filter built from attributes such as DnsDomain, Host and NtVer (MS-ADTS 6.3.3), and asks for the single attribute NetLogon. The detailed query is as follows:

The domain controller hands the query to its NetLogon service, which uses the client's source IP address and the subnet-to-site mapping in Active Directory to determine which site the client belongs to, and then answers with information about its own state in a NETLOGON_SAM_LOGON_RESPONSE_EX structure (https://msdn.microsoft.com/en-us/library/cc223807.aspx). The fields are listed below. The Flags are the DS_* bits defined in dsgetdc.h and MS-ADTS 6.3.1.2; a given DC sets only those that apply to it:

Flags:

DSPDCFlag (0x1) – DC is the PDC emulator of the domain

DSGCFlag (0x4) – DC is a global catalog for the forest

DSLDAPFlag (0x8) – DC is running an LDAP server

DSDSFlag (0x10) – DC hosts a directory service, i.e. it is a domain controller

DSKDCFlag (0x20) – DC is running the KDC service

DSTimeServFlag (0x40) – DC is running the time service

DSClosestFlag (0x80) – DC is in the closest site to the client

DSWritableFlag (0x100) – DC hosts a writable directory

DSGoodTimeServFlag (0x200) – DC is running the time service with a reliable (hardware) clock (0 in this capture)

DSNDNCFlag (0x400) – DomainName is a non-domain NC (application partition) served by this LDAP server

DSSelectSecretDomain6Flag (0x800) – DC is an RODC and holds only a selected set of secrets

DSFullSecretDomain6Flag (0x1000) – DC is a writable DC and holds the full set of secrets

DSWSFlag (0x2000) – Active Directory Web Services is present on the DC

DSDNSControllerFlag (0x20000000) – set when DomainControllerName is a DNS name (clear here, so it is not)

DSDNSDomainFlag (0x40000000) – set when DomainName is a DNS name (clear here, so it is not)

DSDNSForestFlag (0x80000000) – set when DnsForestName is a DNS name (clear here, so it is not)

DomainGuid:

DnsForestName: contoso.local

DnsDomainName: contoso.local

DnsHostName: dc2.contoso.local

NetbiosDomainName: CONTOSO

NetbiosComputerName: DC2

Username:

DcSiteName: FAKESITE

ClientSiteName: FAKESITE

NextClosestSiteName: Default-First-Site-Name

The client caches this information in its DC Locator cache. NextClosestSiteName only appears because the client asked for it by setting the NETLOGON_NT_VERSION_WITH_CLOSEST_SITE bit in NtVer. Note that the whole LDAP Ping exchange is unauthenticated: any host that answers on UDP 389 can influence which DC the client selects, so it is the Kerberos mutual authentication that follows, not this ping, that actually proves the DC's identity.
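As an added example (not from the original post), the parser below decodes the NetLogon attribute value exactly as it comes back in the CLDAP response above: the NETLOGON_SAM_LOGON_RESPONSE_EX layout from MS-ADTS 6.3.1.9, the RFC 1035-style label compression the names use, and the DS_* flag bits. It also builds a constructed response shaped like the dc2 answer so that it runs offline; the flag values, the all-zero DomainGuid and the NtVersion value in the sample are assumptions, not captured data.

```python
"""Parse the NetLogon attribute value returned by an LDAP Ping.

Added example, not code from the original post: decodes NETLOGON_SAM_LOGON_RESPONSE_EX
(MS-ADTS 6.3.1.9) and its DS_* flag bits (MS-ADTS 6.3.1.2), and builds a constructed
sample shaped like the post's dc2 answer. The sample is not a captured packet.
"""
import struct
import uuid

DS_FLAGS = {  # bit: name, from dsgetdc.h / MS-ADTS 6.3.1.2
    0x1: "DS_PDC_FLAG", 0x4: "DS_GC_FLAG", 0x8: "DS_LDAP_FLAG", 0x10: "DS_DS_FLAG",
    0x20: "DS_KDC_FLAG", 0x40: "DS_TIMESERV_FLAG", 0x80: "DS_CLOSEST_FLAG",
    0x100: "DS_WRITABLE_FLAG", 0x200: "DS_GOOD_TIMESERV_FLAG", 0x400: "DS_NDNC_FLAG",
    0x800: "DS_SELECT_SECRET_DOMAIN_6_FLAG", 0x1000: "DS_FULL_SECRET_DOMAIN_6_FLAG",
    0x2000: "DS_WS_FLAG", 0x20000000: "DS_DNS_CONTROLLER_FLAG",
    0x40000000: "DS_DNS_DOMAIN_FLAG", 0x80000000: "DS_DNS_FOREST_FLAG",
}
LOGON_SAM_LOGON_RESPONSE_EX, LOGON_SAM_PAUSE_RESPONSE_EX = 0x17, 0x18
NAME_FIELDS = ("DnsForestName", "DnsDomainName", "DnsHostName", "NetbiosDomainName",
               "NetbiosComputerName", "UserName", "DcSiteName", "ClientSiteName")
HEADER = struct.Struct("<HHI")   # Opcode, Sbz, Flags; the 16-byte DomainGuid follows
TRAILER = struct.Struct("<IHH")  # NtVersion, LmNtToken, LmToken


def decode_flags(flags):
    return [name for bit, name in sorted(DS_FLAGS.items()) if flags & bit]


def decode_name(buf, pos):
    """Read one compressed name; pointer offsets count from the start of the structure.
    The responder is unauthenticated, so pointer loops and out-of-range reads are bounded."""
    labels, end, hops = [], None, 0
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of structure")
        n = buf[pos]
        if n & 0xC0 == 0xC0:
            hops += 1
            if hops > 32 or pos + 1 >= len(buf):
                raise ValueError("bad compression pointer")
            end = end if end is not None else pos + 2
            pos = struct.unpack_from(">H", buf, pos)[0] & 0x3FFF
            continue
        pos += 1
        if n == 0:
            break
        labels.append(bytes(buf[pos:pos + n]).decode("utf-8"))
        pos += n
    return ".".join(labels), (pos if end is None else end)


def parse_netlogon_response(buf):
    buf = bytes(buf)
    if len(buf) < HEADER.size + 16 + len(NAME_FIELDS) + TRAILER.size:
        raise ValueError("structure too short")
    opcode, _sbz, flags = HEADER.unpack_from(buf, 0)
    if opcode not in (LOGON_SAM_LOGON_RESPONSE_EX, LOGON_SAM_PAUSE_RESPONSE_EX):
        raise ValueError("unexpected opcode 0x%x" % opcode)
    info = {"Opcode": opcode, "Flags": flags, "FlagNames": decode_flags(flags),
            "DomainGuid": uuid.UUID(bytes_le=buf[8:24])}
    pos = 24
    for field in NAME_FIELDS:
        info[field], pos = decode_name(buf, pos)
    trailer_at = len(buf) - TRAILER.size
    if pos < trailer_at:  # present only when the ping's NtVer asked for the next closest site
        info["NextClosestSiteName"], pos = decode_name(buf, pos)
    if pos != trailer_at:
        raise ValueError("name section does not line up with trailer")
    info["NtVersion"], info["LmNtToken"], info["LmToken"] = TRAILER.unpack_from(buf, pos)
    return info


def is_well_formed(buf):
    try:
        parse_netlogon_response(buf)
        return True
    except ValueError:
        return False


def encode_name(name, out, table):
    """Append a compressed name, pointing back at suffixes already emitted, as a DC does."""
    labels = name.split(".") if name else []
    while labels:
        suffix = ".".join(labels)
        if suffix in table:
            out.extend(struct.pack(">H", 0xC000 | table[suffix]))
            return
        table[suffix] = len(out)
        raw = labels[0].encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out.append(len(raw))
        out.extend(raw)
        labels = labels[1:]
    out.append(0)


def build_response(flags, names, next_closest=None, domain_guid=uuid.UUID(int=0)):
    """Constructed NETLOGON_SAM_LOGON_RESPONSE_EX; NtVersion assumed as VERSION_1 | VERSION_5EX."""
    out = bytearray(HEADER.pack(LOGON_SAM_LOGON_RESPONSE_EX, 0, flags) + domain_guid.bytes_le)
    table = {}
    for field in NAME_FIELDS:
        encode_name(names[field], out, table)
    if next_closest is not None:
        encode_name(next_closest, out, table)
    out.extend(TRAILER.pack(0x5, 0xFFFF, 0xFFFF))
    return bytes(out)


# Constructed sample shaped like the post's dc2 response; the flag values are assumed.
DC2_NAMES = {"DnsForestName": "contoso.local", "DnsDomainName": "contoso.local",
             "DnsHostName": "dc2.contoso.local", "NetbiosDomainName": "CONTOSO",
             "NetbiosComputerName": "DC2", "UserName": "", "DcSiteName": "FAKESITE",
             "ClientSiteName": "FAKESITE"}
DC2_FLAGS = 0x33FC  # GC|LDAP|DS|KDC|TIMESERV|CLOSEST|WRITABLE|GOOD_TIMESERV|FULL_SECRET|WS

if __name__ == "__main__":
    info = parse_netlogon_response(build_response(DC2_FLAGS, DC2_NAMES, "Default-First-Site-Name"))
    for key, value in info.items():
        print("%-20s %s" % (key, value))
```

On a domain member, nltest /dsgetdc:contoso.local /force performs a fresh locate and prints the same host, site and flag information. The bounds checks in decode_name are not decoration: the ping is unauthenticated, so a parser that trusts pointer offsets from the wire can be looped or walked off the end of the buffer by anything that answers on UDP 389.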

Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB TREE_CONNECT Request to the domain controller for the IPC$ share (\\<domain controller>\IPC$). IPC$ is the share over which named pipes are opened, and those pipes carry the RPC calls that follow, for example the srvsvc call the workstation uses to enumerate the shares available on the server. The domain controller responds with an SMB TREE_CONNECT Response describing the type and capabilities of the IPC$ share.

Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control code FSCTL_VALIDATE_NEGOTIATE_INFO (0x00140204). The request repeats the client's original NEGOTIATE parameters (capabilities, client GUID, security mode and the dialects it offered), and the domain controller's IOCTL Response carries the server capabilities, server GUID, security mode and the dialect it selected. The client compares those values with what it received in the earlier, unsigned NEGOTIATE Response; because the IOCTL response is signed with the session key, a man in the middle that rewrote the negotiation (say, to downgrade the dialect or strip signing) cannot produce a matching answer, and any mismatch makes the client drop the connection. SMB 3.1.1 replaces this round trip with pre-authentication integrity hashing of the NEGOTIATE exchange.
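The comparison the client performs, as an added example that is not code from the original post: it builds the request and response payloads from MS-SMB2 2.2.31.4 and 2.2.32.6 and applies the client-side check from MS-SMB2 3.2.5.14.12. The GUIDs, capability bits and dialect list are constructed; signing of the IOCTL itself is outside the snippet and is assumed to have been verified by the transport.

```python
"""Client-side check for FSCTL_VALIDATE_NEGOTIATE_INFO.

Added example, not code from the original post. Builds the request and response
payloads (MS-SMB2 2.2.31.4, 2.2.32.6) and applies the client comparison from
MS-SMB2 3.2.5.14.12. GUIDs, capability bits and dialect lists are constructed.
"""
import struct
import uuid
from dataclasses import dataclass

FSCTL_VALIDATE_NEGOTIATE_INFO = 0x00140204
DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


@dataclass(frozen=True)
class Connection:
    """What the client remembered from the NEGOTIATE exchange (MS-SMB2 Connection.* state)."""
    client_guid: uuid.UUID
    client_capabilities: int
    client_security_mode: int
    offered_dialects: tuple
    server_guid: uuid.UUID
    server_capabilities: int
    server_security_mode: int
    dialect: int


def build_request(conn):
    """Request: Capabilities(4) Guid(16) SecurityMode(2) DialectCount(2) Dialects(2 each).
    The server checks these against what it saw in the NEGOTIATE Request."""
    n = len(conn.offered_dialects)
    return struct.pack("<I16sHH%dH" % n, conn.client_capabilities, conn.client_guid.bytes_le,
                       conn.client_security_mode, n, *conn.offered_dialects)


def build_response(server_guid, capabilities, security_mode, dialect):
    """Response: Capabilities(4) Guid(16) SecurityMode(2) Dialect(2)."""
    return struct.pack("<I16sHH", capabilities, server_guid.bytes_le, security_mode, dialect)


def validate_response(conn, payload):
    """Return (ok, reason). The response is signed with the session key, so a man in the
    middle that rewrote the unsigned NEGOTIATE messages cannot forge a matching answer;
    on any mismatch the client MUST terminate the connection."""
    if len(payload) != 24:
        return False, "unexpected response length %d" % len(payload)
    caps, guid_le, security_mode, dialect = struct.unpack("<I16sHH", payload)
    if uuid.UUID(bytes_le=guid_le) != conn.server_guid:
        return False, "ServerGuid differs from NEGOTIATE"
    if caps != conn.server_capabilities:
        return False, "server Capabilities differ from NEGOTIATE"
    if security_mode != conn.server_security_mode:
        return False, "server SecurityMode differs from NEGOTIATE (signing policy tampered?)"
    if dialect != conn.dialect:
        return False, "dialect differs: negotiated %s, validated %s" % (
            DIALECT_NAMES.get(conn.dialect, hex(conn.dialect)), DIALECT_NAMES.get(dialect, hex(dialect)))
    return True, "NEGOTIATE exchange validated"


# Constructed state: client offered 2.0.2 through 3.0.2, the DC picked 3.0.2 and requires signing.
SERVER_GUID = uuid.UUID("0d3d4b2e-1a7c-4c1e-9b7e-000000000002")
CONN = Connection(
    client_guid=uuid.UUID("0d3d4b2e-1a7c-4c1e-9b7e-000000000001"),
    client_capabilities=0x0000007F,
    client_security_mode=SMB2_NEGOTIATE_SIGNING_ENABLED,
    offered_dialects=(0x0202, 0x0210, 0x0300, 0x0302),
    server_guid=SERVER_GUID,
    server_capabilities=0x00000007,  # SMB2_GLOBAL_CAP_DFS | LEASING | LARGE_MTU
    server_security_mode=SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED,
    dialect=0x0302,
)

if __name__ == "__main__":
    genuine = build_response(SERVER_GUID, CONN.server_capabilities, CONN.server_security_mode, CONN.dialect)
    # What a downgrade attack would need the DC to echo back: a 2.0.2, signing-optional negotiate
    downgraded = build_response(SERVER_GUID, CONN.server_capabilities, SMB2_NEGOTIATE_SIGNING_ENABLED, 0x0202)
    print(validate_response(CONN, genuine))
    print(validate_response(CONN, downgraded))
```

The second print shows why the attack fails: the attacker can rewrite the cleartext NEGOTIATE, but the DC's signed answer describes the negotiation the DC actually saw, and the client detects the difference.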

Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control code FSCTL_QUERY_NETWORK_INTERFACE_INFO (0x001401FC). This is the SMB 3 Multichannel discovery step: the domain controller responds with an SMB IOCTL Response listing its network interfaces (addresses, link speed and RSS/RDMA capability), and the client uses that list to decide whether to open additional channels to the server over its other interfaces.

Source: Domain-joined machine
Destination: Same Site or Closest Site Domain Controller
Connection: TCP
Port: 445
Protocol: SMB
Purpose: The domain-joined workstation sends an SMB IOCTL Request to the domain controller with the control code FSCTL_DFS_GET_REFERRALS (0x00060194), requesting a DFS domain referral for the domain-based namespace root. The domain controller responds with an SMB IOCTL Response listing the domain in both its FQDN (contoso.local) and NetBIOS (CONTOSO) forms, which the client uses to recognise domain-based DFS paths of the form \\contoso.local\<namespace>.

Source: Domain-joined machine
Destination: Primary DNS Server
Connection: UDP
Port: 53
Protocol: DNS
Purpose: The domain-joined workstation sends a DNS query for the A record of the second domain controller that appeared in the SRV answers from the initial DC locator queries. The DNS server responds with the address.

Source: Domain-joined machine
Destination: Domain controller at the address resolved in the previous step
Connection: UDP
Port: 389
Protocol: LDAP (connectionless LDAP, CLDAP)
Purpose: The DsGetDcName API on the domain-joined machine sends the same LDAP Ping described earlier to this second domain controller: a RootDSE search with a filter built from DnsDomain, Host, NtVer and related attributes, requesting the NetLogon attribute. The detailed query is as follows:

As before, the NetLogon service on the domain controller works out the client's site from its source IP address and answers with its own state in a NETLOGON_SAM_LOGON_RESPONSE_EX structure (https://msdn.microsoft.com/en-us/library/cc223807.aspx). This time the responder is DCSERVER in Default-First-Site-Name rather than in the client's site, FAKESITE:

Flags: the same DS_* flag definitions as listed for the first LDAP Ping response above.

DomainGuid:

DnsForestName: contoso.local

DnsDomainName: contoso.local

DnsHostName: DCSERVER.contoso.local

NetbiosDomainName: CONTOSO

NetbiosComputerName: DCSERVER

Username:

DcSiteName: Default-First-Site-Name

ClientSiteName: FAKESITE

NextClosestSiteName: Default-First-Site-Name

The client caches this information to its DCLocator cache.

All right folks, we’re going to break here. My next post will continue with the NetLogon process.

About Me

Hi there! My name is Matt Felton and I am a long time geek with a passion for technology. I have over 15 years' experience in the industry that spans the technology stack. Over the past few years I've had the opportunity to dig deeper into security and identity, which I've been more than happy to do.

I started Journey Of The Geek over six years ago when I saw an opportunity to provide in-depth technical deep dives to peel back the onion on technologies and products. I enjoy sharing what I've learned and giving back to the industry. Plus there is no better way to learn a topic than to teach it.

I hope you enjoy and if you have questions feel free to reach out via the comments, LinkedIn, or Twitter.
